When a company or organization falls victim to a data breach, one decisive way to mitigate the effect of the intrusion or the unintended disclosure of people’s sensitive information is to make sure that victims are notified as soon as possible, so that they become aware that their data has been compromised and can take the necessary actions. However, there is no federal law that prescribes when and how data breach disclosures should be carried out.
Because of this, at least nine states, led by California, have been very proactive in passing new laws that require companies and organizations that experience a data breach to notify their clients and members as soon as possible, a blog post from Data Protection Report by Norton Rose Fulbright reveals.
One of the most famous of these new and expanded data breach notification laws is the California Consumer Privacy Act (CCPA), and while it gets more attention than the others, eight other pieces of data breach disclosure legislation have been passed or are being voted on by different states across the U.S.
Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information or to include new reporting requirements.
In Illinois, the Governor is expected to sign an amendment to the Personal Information Protection Act. The expanded law will require companies to notify the Attorney General if a data breach involves at least 500 Illinois residents. Moreover, as part of the amendment, the Attorney General will also be allowed to report and disclose details about the breach even before the companies publicly disclose them.
Similar amendments to Massachusetts’ data breach notification law went into effect on April 11, 2019; they require a company to offer complimentary credit monitoring for 18 months if a breach involves a resident’s Social Security number. To avoid delays in notifying the victims, the amended law requires the disclosure to be done on a “rolling basis.” Furthermore, if the data involved in the breach belongs to a third party, the third party has to be named when notifying victims, and businesses are now required to inform regulators if they have “a written information security program.”
Maryland’s Personal Information Protection Act has also been amended. The amendment “(1) expands the scope of businesses covered by the law to include businesses that own, license or maintain personal information of Maryland residents; (2) prohibits a business responsible for a breach from charging the applicable data owner or licensee for information needed for notification; and (3) prohibits business from using information ‘relative to the breach’ for purposes other than providing notification regarding the breach, protecting or securing applicable personal information, and providing notification to certain information security organization to alert and avert future breaches,” and the amendments are scheduled to take effect on October 1, 2019.
The definition of “personal information” has also been expanded in New Jersey to include usernames, email addresses, passwords, and security questions and answers affiliated with an individual’s online account, and a written or electronic notice is required for victim notification. Similarly, in New York, the Stop Hacks and Improve Electronic Data Security Act has also been expanded to include information similar to that covered by the New Jersey amendment.
In Oregon, vendors must now notify any contracted “covered entity” within 10 days of discovering a breach of security, and must also notify the Attorney General if the breach involves more than 250 consumers or if the number of individuals affected is unknown. In Texas, the victims and the Attorney General must be notified within a “reasonable period” not exceeding 60 days after the discovery of the breach.
All in all, the common theme in the amendments among the nine states is the expansion of the definition of ‘personal information,’ which also redefines what a ‘data breach’ means, and the prescription of a timeline that companies should follow in notifying victims of a data compromise. Lastly, most of these amendments also require notifying the Attorney General when a breach happens.